Work From Home Spikes RDP Usage: Why That’s Risky For Businesses

April 3, 2020

As more companies go to a remote workforce due to COVID-19, IT departments everywhere are rearchitecting their environments on the fly while often navigating uncharted waters.

Now that we have aggregated a few weeks of customer data from the Arctic Wolf platform since the situation began, we’d like to share what we’re seeing across our customer base to provide a better understanding of how work-from-home (WFH) policies impact the exposure of organizations as a whole.  

Remote employee working in front of their laptop.

The Dangers of Remote Desktop Protocol

One very alarming trend is that the use of the Remote Desktop Protocol (RDP) for managing remote laptops has increased by 62 percent over the last month as organizations shift to WFH scenarios. This is risky, because RDP has a history of security issues and publicly disclosed vulnerabilities and many organizations are slow to patch their systems for known exploits.

A recent blog post from Shodan—the company that crawls the internet 24/7 to provide the latest internet intelligence—examined trends in internet exposure that validates this trend on a more global scale According to its founder, John Matherly:

"The number of devices exposing RDP to the Internet has grown significantly over the past month (41.5%) which makes sense given how many organizations are moving to remote work."

A common tactic many IT departments use to protect against RDP attacks is deploying the insecure service on a non-standard port in hopes of obscuring it from detection. We took a look at what this behavior looks like across our customer base, examining the activity of devices exposing RDP to the internet through a commonly used alternate port (3389): 

Chart for Count by Timestamp: Month. The numbers have risen dramatically since February.
 
Figure 1: Use of RDP on Port 3389 over time from the Arctic Wolf Platform

Our chart also displays a roller coaster of spikes and declines in RDP activity due to two major factors. First, a rapid increase in December following the announcement of a major vulnerability on the Citrix platform. Next, a significant decline as Microsoft announced an RDP vulnerability which had IT managers looking for remote desktop alternatives.

How Cybercriminals Take Advantage

There are a number of malicious activities that an attacker can deploy when they have control of a server or a workstation, such as clearing log files, disabling security software, or exfiltrating data from the server. 

Most notably, a vulnerability known as BlueKeep—which gained attention in 2019—could allow an attacker to remotely control a PC if the device was not properly patched. That same vulnerability was leveraged in similar ways to spawn the highly publicized WannaCry ransomware attacks.  

What You’ll Need to Do

If you use RDP to manage your remote workforce, make sure you run the most current version and have applied the most recent critical security updates from Microsoft. This isn’t always as easy as it sounds.

As remote workers move away from your trusted network, the broad visibility required to create actionable insights for cybersecurity can be limited, which leaves you exposed to potential exploits. If you’re an IT manager, you may be too overwhelmed with alert and the day-to-day operations of the business during this uncertain time to actively detect threats or critical vulnerabilities. 

Arctic Wolf’s team of security experts is here to help you monitor your changing environment 24x7, triage critical threats, and use our unique knowledge of your environment to tailor security outcomes directly to your business. 

If you're looking for further information on how to effectively manage work from home scenarios, check out some of our related resources:

 

Previous Article
COVID-19 Weekly Threat Roundup: April 3
COVID-19 Weekly Threat Roundup: April 3

Covid-19 Weekly Threat Roundup is a new series designed to help our customers and the broader cybersecurity...

Next Article
5 Resources to Help Manage Your Businesses’ Cybersecurity During Uncertain Times
5 Resources to Help Manage Your Businesses’ Cybersecurity During Uncertain Times

Remote working arrangements present their own set of unique cybersecurity challenges, check out these 5 res...